How do I validate (prevent XSS attacks) from a WYSIWYG user input?

A WYSIWYG enables a user to enter rich text into an input field among other things.

However, the text and other content is submitted as HTML code.

These problems exist:

  1. A user can inject script tags into their input, posing a risk for XSS attacks. You cannot strip all tags because that would defeat the purpose of using a WYSIWYG editor.
  2. In addition to script tags, a user can use javascript attributes like onclick, onmousemove, etc…

What is the best way to go about validating and sanitizing the user input.

(Btw, using php for backend)

You’ll want to filter the HTML submitted on the backend. The most popular package for that in PHP, used by large applications like Drupal and Joomla, would be HTML Purifier. You can install it with composer, if you’re using that.

composer require ezyang/htmlpurifier

1 Like

@chuckadams
Thank you very much. I will use this.